General

  • Target

    460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe

  • Size

    1.5MB

  • Sample

    240531-bkv56sae24

  • MD5

    0aa11032569ed0cb4b5dc419ff4a9546

  • SHA1

    231c007ce085606499eea34174fd92911852848c

  • SHA256

    460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249

  • SHA512

    27ceefa9ff530a84e5375aa45ad00b76039d28a35bed79f5f504952401bdde41834ae668790d4c83a9d2f4d61b20d78e425b9badddf27273c35779a088137079

  • SSDEEP

    24576:U2G/nvxW3Ww0trsehgyBX9ONFTyvQa3bGl//rqtI1kg+QwZ0aHaCgPu8RYaJ:UbA30rscgjApSZWtI1t+QihaCUhYu

Targets

    • DcRat

      DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
